Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Photos.zip virus from MSN Messenger

Started by webber , Jun 01 2007 09:18 PM

  • Please log in to reply

#1
webber
Posted 01 June 2007 - 09:18 PM

webber

    Member

  • Member
  • PipPip
  • 10 posts
Hi,

I accepted the file named photos.zip from my friend thru msn messenger.
It turned out to be a virus or some kind, where it keeps automatically sending the same files to all of my friends in my msn list.
I have deleted the files from C:/WINDOW/Photos.zip but it still sends the files out.
I cannot find where the file is now.

I need help to remove this.
I heard that this is a Trojan virus, is it true?
I am looking for a help as well as my other friends.

Thanks
  • 0

Advertisements

#2
loophole
Posted 01 June 2007 - 09:23 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
webber
Posted 01 June 2007 - 10:00 PM

webber

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi :whistling:

Thank you in advance for your assistance.
Please see below the logs.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2005-03-07 17:05]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 13:57]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 13:57]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 19:04]
"TpShocks"="TpShocks.exe" [2005-11-07 11:14 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-12-15 14:00]
"TP4EX"="tp4ex.exe" [2005-10-17 01:11 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 02:22]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-15 01:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 23:27]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-21 21:00]
"@"="" []
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-28 01:53]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 01:12]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 01:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-22 00:33]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-31 12:21]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"QCWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 19:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-03-18 19:07]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 08:45]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 11:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 18:10]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 19:44]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-10 03:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{C18CB958-9479-4D70-91AC-A85EABA1DCE9}"="syshosts.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Program Files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter]
"C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03d061cb-d758-11db-ae05-0014a4d49be0}]
AutoRun\command- F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37effcf3-058e-11db-ac3b-0014a4d49be0}]
AutoRun\command- E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44a9c7b0-fd50-11db-ae69-0014a4d49be0}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cf4be12-aa88-11db-ad8c-0014a4d49be0}]
AutoRun\command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadcac92-e633-11da-abcc-0014a4d49be0}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
  • 0

#4
loophole
Posted 02 June 2007 - 05:31 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello :whistling:

It appears you dint copy and paste the whole log, can you run it again and make sure you get it all from top to bottom
  • 0

#5
webber
Posted 02 June 2007 - 07:46 PM

webber

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi,

Here it is.

((((((((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 ))))))))))))))))))))))))))))))))))


2007-06-02 11:52 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-01 15:37 22,016 --a------ C:\WINDOWS\system32\syshosts.dll
2007-05-22 15:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-15 14:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-14 18:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-05-14 18:26 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-05-14 18:25 <DIR> d-------- C:\Program Files\MSBuild
2007-05-14 18:21 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-14 18:21 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-14 18:20 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-14 18:20 <DIR> d-------- C:\223c32f1ec5ac4cf46d9ad
2007-05-07 13:14 <DIR> d-------- C:\Program Files\Common Files\Skype


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-02 16:59:24 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-01 15:38:23 -------- d-----w C:\Program Files\MSN Messenger
2007-05-22 17:43:27 -------- d-----w C:\Program Files\Asset Services Management
2007-05-14 10:26:13 -------- d-----w C:\Program Files\Windows Media Connect
2007-05-11 01:27:56 -------- d-----w C:\DOCUME~1\jliwang\APPLIC~1\Skype
2007-05-07 05:14:53 -------- d-----w C:\Program Files\Skype
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-22 22:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-22 22:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 12:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:48:36 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2005-03-07 17:05]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 13:57]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 13:57]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 19:04]
"TpShocks"="TpShocks.exe" [2005-11-07 11:14 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-12-15 14:00]
"TP4EX"="tp4ex.exe" [2005-10-17 01:11 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 02:22]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-15 01:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 23:27]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-21 21:00]
"@"="" []
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-28 01:53]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 01:12]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 01:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-22 00:33]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-31 12:21]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"QCWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 19:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-03-18 19:07]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 08:45]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 11:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 18:10]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 19:44]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-10 03:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{C18CB958-9479-4D70-91AC-A85EABA1DCE9}"="syshosts.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Program Files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter]
"C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03d061cb-d758-11db-ae05-0014a4d49be0}]
AutoRun\command- F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37effcf3-058e-11db-ac3b-0014a4d49be0}]
AutoRun\command- E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44a9c7b0-fd50-11db-ae69-0014a4d49be0}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cf4be12-aa88-11db-ad8c-0014a4d49be0}]
AutoRun\command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadcac92-e633-11da-abcc-0014a4d49be0}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe


Contents of the 'Scheduled Tasks' folder
2007-06-02 17:01:07 C:\WINDOWS\tasks\PMTask.job
  • 0

#6
loophole
Posted 03 June 2007 - 03:26 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:



Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as "fix.reg" WITH THE QUOTES and save it on your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{C18CB958-9479-4D70-91AC-A85EABA1DCE9}"=- 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cf4be12-aa88-11db-ad8c-0014a4d49be0}]

after saving as instructed above, please close notepad. You will now have a file on your desktop called fix.reg. Please double click it and allow it to merge with the registry

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\syshosts.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Pleas run combofix again and post the log, also let me know if this solves your problem

Thanks
  • 0

#7
webber
Posted 04 June 2007 - 03:00 AM

webber

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi :whistling:,

After I ran the OTMoveIt, it shows the message

Cannot create file C:\_OTMoveIt\MovedFiles\06042007_165323.log

I have repeated the procedure three times and it keeps giving me the same error message.
What do you think?

Thank you
  • 0

#8
loophole
Posted 04 June 2007 - 01:55 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Not sure, go ahead and rescan with combofix and post the log :whistling:
  • 0

#9
webber
Posted 07 June 2007 - 10:49 AM

webber

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi,

Here is the latest HiJackThis log.

((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-02 11:52 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-22 15:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-15 14:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-14 18:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-05-14 18:26 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-05-14 18:25 <DIR> d-------- C:\Program Files\MSBuild
2007-05-14 18:21 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-14 18:21 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-14 18:20 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-14 18:20 <DIR> d-------- C:\223c32f1ec5ac4cf46d9ad


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 12:03:35 -------- d-----w C:\Program Files\Asset Services Management
2007-06-07 07:53:01 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-01 15:38:23 -------- d-----w C:\Program Files\MSN Messenger
2007-05-14 10:26:13 -------- d-----w C:\Program Files\Windows Media Connect
2007-05-11 01:27:56 -------- d-----w C:\DOCUME~1\jliwang\APPLIC~1\Skype
2007-05-07 05:14:53 -------- d-----w C:\Program Files\Skype
2007-05-07 05:14:53 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-22 22:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-22 22:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 12:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:48:36 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2005-03-07 17:05]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 13:57]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 13:57]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-28 19:04]
"TpShocks"="TpShocks.exe" [2005-11-07 11:14 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-12-15 14:00]
"TP4EX"="tp4ex.exe" [2005-10-17 01:11 C:\WINDOWS\system32\TP4EX.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 02:22]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-15 01:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 23:27]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-21 21:00]
"@"="" []
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2005-04-28 01:53]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 01:12]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 01:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-22 00:33]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-31 12:21]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"QCWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 19:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [2005-03-18 19:07]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 08:45]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 11:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 18:10]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 19:44]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-10 03:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{C18CB958-9479-4D70-91AC-A85EABA1DCE9}"="syshosts.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Program Files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter]
"C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03d061cb-d758-11db-ae05-0014a4d49be0}]
AutoRun\command- F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37effcf3-058e-11db-ac3b-0014a4d49be0}]
AutoRun\command- E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44a9c7b0-fd50-11db-ae69-0014a4d49be0}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadcac92-e633-11da-abcc-0014a4d49be0}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe


Contents of the 'Scheduled Tasks' folder
2007-06-07 10:12:26 C:\WINDOWS\tasks\PMTask.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 00:40:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
  • 0

#10
loophole
Posted 11 June 2007 - 07:04 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Sorry for the delay, work ihas been hectic

How is the computer behaving
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP